how hackers bypass 2 step verification

  • Published 16 Sep 2024

Comments • 590

  • @riccardoiaccheri9058
    @riccardoiaccheri9058 a year ago +257

    One of the most detailed, serious and professional channels I've ever found

    • @yanivhoffman
      @yanivhoffman a year ago +22

      Wow 🤩 thx a lot

    • @muslimpathx
      @muslimpathx a year ago +1

      true

    • @mos8541
      @mos8541 a year ago +2

      AND a nice office/hotel room view, assuming it was real i mean

    • @yanivhoffman
      @yanivhoffman a year ago

      @mos8541 it's my house :) so I will share the good feedback with my wife 😂

  • @IvanToman
    @IvanToman a year ago +104

    Most important tip = use multiple independent backups of all important data. If any account gets compromised, you don't lose your data, which is the most important thing.

    • @mrcryptozoic817
      @mrcryptozoic817 a year ago

      I think it's best to use the "cloud" plus external. So I individually back up to 0 and -1 generations, but it's so cheap, I also keep the -2 generation.

    • @klauserwin9860
      @klauserwin9860 a year ago +3

      100% agree. I have several "cold" backups with full disk backups as images on (encrypted!) hard disks.
      1x local backup in my home
      1x Mom's house (+ 1x as rotating backup)
      1x workplace
      1x car
      1x in my bug out bag
      I used old unused hard disks and I only need about 1 - 1.5 TB HDDs.

    • @rafhi
      @rafhi a year ago

      100%

    • @shawnio
      @shawnio a year ago +2

      Here is another tip: don't store anything on the internet. I come from when the internet started; to think someone would send off their important data to a website and expect that website to be secure absolutely stupefies me.

    • @IvanToman
      @IvanToman a year ago

      @shawnio Hm, but what's the point of cloud accounts then if not to make data available anywhere you go? The problem is if it is your only available source of that particular data...

  • @mariotabali2603
    @mariotabali2603 a year ago +4

    Told everyone I know they are fooling themselves if they think 2FA in a phone means total security. No one listens. So relieving to arrive here, you won a new subscriber

  • @marcocaruso3965
    @marcocaruso3965 a year ago +76

    Maybe the best video on TH-cam regarding 2FA. Thanks a lot for your valuable insights. Enlightening!

  • @igamse
    @igamse a year ago +4

    Things make so much sense now!!!
    My friend got his account hacked on a website after downloading a suspicious file, and we were super confused because he didn't type his password anywhere. Now after learning this Cookie thing I can imagine how it happened!
    Thank you so much for this video!

  • @everjan66
    @everjan66 a year ago +9

    This should be shown in every school, uni and every company.. would minimize security risks by A LOT

  • @levieux1137
    @levieux1137 a year ago +60

    One of the biggest griefs I have against 2FA is that many people I'm seeing use it as an excuse for having the browser record passwords and pre-fill them. In the end it's just 1FA but with a very short code, and it's much worse than a strong password. The first ever rule to enforce before even deploying 2FA is to configure browsers to never ever record passwords for sites! A password should only be known by the user, not by a program, otherwise it authenticates the program, not the user.

    • @levieux1137
      @levieux1137 a year ago +5

      @fyks6447 I personally prefer to build memorizable passwords that involve some common radicals that depend on the category of the site, with some characters that depend on the site itself. It can occasionally require me 2 or 3 attempts to figure out the right one, but that way they do not appear anywhere outside of my head. The biggest difficulty is to deal with sites having some horrible rules. In this case I can take some notes such as tr ',;:!' '1234' to know what needs to be replaced in my common radical without even disclosing which char is in use among the set. It's really not that difficult.

    • @Raletia
      @Raletia a year ago

      @levieux1137 How do you feel about local password managers? Personally I use the open source one, KeePass. It encrypts the database, has options for extra security on the database as well as different ways to access it aside from a password, has protection against snooping when copy-pasting (if I recall), will clear the clipboard, and can be configured to auto-type instead of copy-paste. It has the option to add extra entropy in generated passwords by user random input, like moving the mouse around. And it can be set to lock the database after some inactivity.
      But most importantly, you are in full control of your database. I don't like those online services. But I couldn't do without KeePass now. I have nearly 200 saved accounts now, accumulated over years. All with unique passwords as strong as each account allows. I couldn't keep up with it manually.

    • @wertigon
      @wertigon a year ago +9

      I used to think like you did, then age hit, my memory started failing me, and I found myself locked out of several sites as I required dozens of passwords.
      A password manager is the way to go here with one STRONG passphrase of at least 20 characters. Also obligatory XKCD 936.

    • @joergkalisch7749
      @joergkalisch7749 a year ago +4

      Not to forget using the 2FA device as the primary access platform, making it pretty useless. Worse, banks try to push customers towards mobile apps and then again 2FA on the same device 🤦‍♂️🙈

    • @Raletia
      @Raletia a year ago +1

      @joergkalisch7749 Yeah, the idea too of having it all tied to my phone.. which can be broken, lost, stolen, etc. feels scary to me. I use WinAuth as my primary means of 2FA, it's been pretty good so far and I feel pretty in control of my 2FA data with it. It also allows me to set up redundant methods for 2FA so I'm not ever locked out due to a single device failure, etc.

  • @jonathandavis3312
    @jonathandavis3312 a year ago +69

    The most common way sadly is just sending the end user an MFA push to their phone and waiting for them to hit approve out of habit... or send them so many that they hit approve just to shut it up (MFA Fatigue). There's also a social engineering aspect like what happened to the guy at Uber.

    • @BazWhite
      @BazWhite a year ago

      Yes, we had an instance of that. We then switched to only use SMS text messages ONLY. Within Microsoft options you can set which MFA options - preventing the use of an app.
      They then cannot simply hit 'Approve'

    • @jonathandavis3312
      @jonathandavis3312 a year ago +6

      @BazWhite SMS has issues too. Another way is to enable number matching in Microsoft Authenticator. That way they have to type in the number they see on the computer screen.

    • @ronescholz-nielsen3559
      @ronescholz-nielsen3559 a year ago

      @jonathandavis3312 has that new method been released yet? I've heard about a release date of 28th of February, but haven't seen it on my tenant yet.

    • @jonathandavis3312
      @jonathandavis3312 a year ago

      @ronescholz-nielsen3559 you should be able to enable it for all users. Microsoft announced recently that they're going to start enabling it by default.

    • @ronescholz-nielsen3559
      @ronescholz-nielsen3559 a year ago

      @jonathandavis3312 okay. It might be released shortly then. I just haven't seen it yet. Looked for it the other day when adding some FIDO keys.
      Kinda strange that it's not added yet, since it has been an option for the private/consumer part of 365 for a while.

  • @henri0661
    @henri0661 a year ago +12

    Thank you Yaniv for the detailed information. This deserves a sequel.

  • @strandvaskeren
    @strandvaskeren a year ago +30

    One of the main ideas behind 2FA is to use more than one device, so that an attacker has to compromise more than one system. I know loads of people that do for example home banking from their phone while authenticating with a 2FA app on the same phone, which renders the whole idea pointless, the attacker only needs to compromise that one device, your phone.

    • @CTZS
      @CTZS a year ago +3

      I actually do this. Ppl call me crazy haha. I go beyond and actually have multiple platforms for authentication purposes. The login and authentication devices are almost always not the same, whether PC, Android phone or Apple iPad.
      My family and corporate bosses always wanted me to set up the authentication method for them on the same device for convenience and cost savings, and I never accept those requests, even offering to resign (my employer) if they insist. It's something I absolutely refuse to be even remotely connected if shit goes south.

    • @cornoc
      @cornoc a year ago +2

      is that still true if you use biometric login for your banking app?

    • @napillnik
      @napillnik a year ago +2

      The one thing that 2FA is supposed to do is to make it insufficient to just know the password. You also have to own something.
      The problem is not if it's on the same device. The biggest problem is phishing, and people giving up their passwords voluntarily, either by being lied to, or by having very simple passwords. That's the VAST majority of account compromises that happen.
      Physical device compromise is insanely rare and difficult to pull off, since today's devices are reasonably secure. That's not the scope of 2FA. Nor should it be, as any layer of additional security makes the system simply harder to use, and if you go for securing the very unlikely vectors of attack, you make the security measure very unattractive and people will just not use it. The best example of overzealous security policies that don't actually protect against probable attacks is having a corporate policy to change your password. This ends up being less secure because people are more likely to store passwords in unprotected places rather than remembering them, or it makes people forget their latest password, get locked out frequently, and have an IT department that has to bypass this security measure entirely, leaving you exposed to social engineering attacks.
      2FA that forces you to have an actual physical device or an extra program just for that is just bad.

    • @sashakelly2025
      @sashakelly2025 a year ago

      Who are all of these "loads of people" you know? I need to know one of them.

    • @redmafia9011
      @redmafia9011 9 months ago

      Has nothing to do with switching devices. Once they phish you on one and get your credentials and the information they need, your account is useless to them.

  • @marknichols2027
    @marknichols2027 a year ago +6

    Yaniv, excellent information! First time for me on your channel. Now I’m looking forward to the next one. Thanks!

    • @yanivhoffman
      @yanivhoffman a year ago +1

      Thank you! The next one will be released today (Wednesday, 9am EST) and is super interesting: Hacking SCADA systems with Master Hacker OccupyTheWeb.

  • @kaveeshathilakarathna8063
    @kaveeshathilakarathna8063 a year ago +9

    I wonder how I could have missed this channel. Great content and nice explanation.

  • @n2productions
    @n2productions a year ago +2

    The YT algo has showered favour upon you, sir... and I'm really glad it did!

  • @mochenmat
    @mochenmat a year ago +4

    Top tier video, appreciate you being willing to explain this to the masses! One small thing, you are saying "retrieve" wrong, you're focusing on the I in the word; change that sound to an E, so: RE-TREE-VE rather than RE-TRY-ve. (Please don't take that the wrong way, I would want someone to tell me if I was pronouncing something wrong.) With that said, your English is amazing.

  • @animusadvertere3371
    @animusadvertere3371 a year ago +10

    Thanks for this. This is what should be on TH-cam, not all the other crap. 👍🏼👍🏼

    • @yanivhoffman
      @yanivhoffman a year ago

      Thx a lot

    • @mos8541
      @mos8541 a year ago +1

      What are you, some sort of content censor person? What's "crap" to you might actually be mediocre or even so-so to everyone else.... SFMF

  • @powerfullmind7724
    @powerfullmind7724 a year ago +2

    This is pure professionalism!! With very much knowledge to apply… that is achieved only by listening to him to understand…! And not listening to just reply back…!

    Thanks for teaching me ,Master!.

  • @deltaplan996
    @deltaplan996 a year ago +3

    It is always some kind of combination of the 3 things: something that you know (your password/passphrase), something you have (YubiKey, OTP token generator) and something you are (fingerprints, voice bio capture and verify).
    Thanks, Yaniv -- this is a good intro into the MFA world.
    Be strong and blessed!

    • @yanivhoffman
      @yanivhoffman a year ago +1

      True and important view. Thx a lot

  • @jdtechsolutions
    @jdtechsolutions a year ago +1

    First time I've seen one of your videos, it made me subscribe to your channel. Good explanation, and the video itself is very professional. Keep it going!

  • @sals79
    @sals79 a year ago +2

    3 minutes in and i had to hit the subscribe button!
    thanks for all that you do. :)

    • @yanivhoffman
      @yanivhoffman a year ago

      Wow so nice to hear. Thank you

  • @elijahwilt
    @elijahwilt a year ago +4

    To prove identity, one can provide:
    - something they know
    - something they have
    - something they are

  • @saimandebbarma
    @saimandebbarma a year ago +17

    Hackers will need the user's consent anyway, which they can obtain by tricking us in their ways. So, be aware & alert! Thank you 🙏

  • @MrRodsch
    @MrRodsch a year ago +1

    Thank you for your compact roundup on this 2FA flaws topic. Eye opener. Brilliant integrated videoscreen background picture of a nice city and sofa by the way ;)

  • @justlisten82
    @justlisten82 a year ago +5

    If someone from Israel is teaching about hacking, I'm listening. They are world class.

  • @yelmoralardclaw
    @yelmoralardclaw a year ago +3

    I am not sure I am well-qualified for the talks about cyber-security, but...
    6:38 well sure, they re-route traffic, but SSL is commonly used to encrypt traffic, and even if the authentication token is somewhere in there, the hacker won't be able to get it through a MITM attack... Unless the traffic is encrypted not before, but after the proxy? And assuming (which is bloody reasonable) the encryption is asymmetric, the hacker will not have the key to decrypt traffic... So how's Evilginx supposed to work?

  • @rationalism_communism
    @rationalism_communism a year ago +5

    amazing video you clearly explained everything top notch!
    you earned a sub.

    • @yanivhoffman
      @yanivhoffman a year ago

      Thank you so much!!!! Appreciate it

  • @aaronperelmuter8433
    @aaronperelmuter8433 a year ago +18

    You mentioned in the vid that you’ll include a link in the description to your recommendation for a password manager. I couldn’t find this anywhere, could you please let us know which one you recommend? Thanks very much

    • @yanivhoffman
      @yanivhoffman a year ago

      Yes sorry - added two of my recommendations (1) 1Password and (2) NordPass also (3) RoboForm is good in my view

    • @Sissy_Scarlett
      @Sissy_Scarlett a year ago +1

      @yanivhoffman what about Bitwarden? I am using it right now

    • @yanivhoffman
      @yanivhoffman a year ago +1

      @Sissy_Scarlett Bitwarden is good and one of the most common ones. It uses open source code while 1Password has proprietary code. Yet 1Password is more secure in my opinion. Look at this link; if you still have questions let me know. cybernews.com/best-password-managers/bitwarden-vs-1password/

    • @Sissy_Scarlett
      @Sissy_Scarlett a year ago +1

      @yanivhoffman it's better than using no password manager though, right? I will switch to 1Password when I have good money.

    • @yanivhoffman
      @yanivhoffman a year ago

      @Sissy_Scarlett yes, of course.

  • @CesarPeron
    @CesarPeron a year ago +4

    Nice piece of information. So, speaking of security levels, in order from highest to lowest, would my listing be correct?
    1) Hardware Key
    2) Authenticator Mobile App
    3) Mail Verification
    4) SMS Verification
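    What puts a hardware key at the top of a list like this is origin binding: with WebAuthn/FIDO2 the browser, not the web page, writes the site's origin into the signed client data, and the authenticator hashes the relying-party ID into its response. Added example (not from the video or any commenter): the origin, challenge and rpId checks a relying party performs on an assertion, with a constructed response from the genuine origin and one from a look-alike domain; the signature check that follows in a full verifier is left out. RP_ID, ALLOWED_ORIGINS and the sample origins are assumed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Assumed relying-party identity for this example (placeholders, not a real deployment).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_assertion_binding(client_data_json: str, authenticator_data: bytes,
                             expected_challenge: bytes, rp_id: str = RP_ID,
                             allowed_origins=ALLOWED_ORIGINS) -> tuple:
    """Check the origin/challenge/rpId binding of a WebAuthn 'get' assertion.

    Returns (ok, reason). The signature over authenticatorData || sha256(clientDataJSON)
    is NOT verified here; a real verifier does that after these checks pass.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_json))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return False, "clientDataJSON is not valid base64url JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The browser fills in `origin` from the page that called navigator.credentials.get();
    # a proxy serving the page from another domain produces a different value here.
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        return False, "origin %r not allowed" % origin
    try:
        challenge = b64url_decode(client_data.get("challenge", ""))
    except ValueError:
        return False, "challenge not decodable"
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (replayed or stale response)"
    # authenticatorData: rpIdHash (32) || flags (1) || signCount (4) || ...
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    expected_rp_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_rp_hash):
        return False, "rpIdHash does not match this relying party"
    flags = authenticator_data[32]
    if not flags & 0x01:  # UP bit: user presence was tested
        return False, "user presence flag not set"
    return True, "origin, challenge and rpId bound correctly"


def make_sample_assertion(origin: str, challenge: bytes, rp_id: str = RP_ID):
    """Construct a response the way a browser + authenticator would (signature omitted)."""
    client_data = {"type": "webauthn.get",
                   "challenge": b64url_encode(challenge),
                   "origin": origin}
    client_data_json = b64url_encode(json.dumps(client_data).encode())
    auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                 + bytes([0x01])                            # flags: UP set
                 + (7).to_bytes(4, "big"))                  # signature counter
    return client_data_json, auth_data


if __name__ == "__main__":
    challenge = b"\x01" * 32          # constructed server-issued challenge
    good = make_sample_assertion("https://example.com", challenge)
    print(verify_assertion_binding(*good, challenge))
    # Constructed look-alike origin: the same credential yields a response the RP rejects.
    spoofed = make_sample_assertion("https://login-example.invalid", challenge)
    print(verify_assertion_binding(*spoofed, challenge))
```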

  • @jaredcrown5812
    @jaredcrown5812 a year ago

    First time here, Subscribed!!

  • @DrVinylBcn
    @DrVinylBcn a year ago +1

    I'm not a native English speaker and now I know how hard it is for people to understand me. 😂😂😂
    Respect mate !
    And awesome content

  • @reiniernn9071
    @reiniernn9071 a year ago

    One simple tip, referring to the mention in the video that a hacker could see the user of the device.
    If you do NOT use your webcam..... put a physical shield in front of the camera eye. This makes it impossible for any hacker to use that camera even when he can activate the webcam due to a hack.

  • @jlarouche2
    @jlarouche2 a year ago +1

    Hi, great video! Could using a VPN bypass the man in the middle proxy hackers (as mentioned around 6:00)?

    • @austincromwell
      @austincromwell a year ago

      I was wondering the same thing.

  • @MrBharatyadav
    @MrBharatyadav a year ago +2

    Much awaited video

  • @ninocrudele
    @ninocrudele a year ago +4

    Super interesting, thank you so much!

  • @mussen1876
    @mussen1876 a year ago +1

    Awesome thanks. I just subscribed. They should teach this stuff in schools.

  • @mazalhoffman4914
    @mazalhoffman4914 a year ago +5

    Thank you for the great information.
    Good to know ❤

  • @chbihmrabih9666
    @chbihmrabih9666 a year ago +2

    Thank you man please keep doing what you do...

  • @tmurrayis
    @tmurrayis a year ago +8

    I only understood about 20% of what he said but it was a very helpful 20%. I use a password manager and thought a 15 character PW was overkill; time to rethink that for sure.

    • @yanivhoffman
      @yanivhoffman a year ago +1

      20% is a start continue to watch and it will improve. Thank you for the support

    • @yanivhoffman
      @yanivhoffman a year ago

      @Charles White 😂

  • @rafhi
    @rafhi a year ago +2

    Amazing video, and much important,
    tnx 😊

  • @achong007
    @achong007 a year ago +2

    By the way, there is one more. Even if you have the cookie for the username, password, and token, Google will also check the IP address gateway you are using to make sure it is you. If not, they will send an SMS to you, if you allow it.

  • @colbyhartman9467
    @colbyhartman9467 a year ago +1

    Nice video, and this is one of a few that I have found that went into depth on this way into people's accounts. Thanks again.

    • @colbyhartman9467
      @colbyhartman9467 a year ago

      What security key would work for most of the common applications, say emails, say gaming, Battle.net, Steam and stuff like that? That way I wouldn't have to get 4 or 5 of the security keys for them, is my question.

    • @yanivhoffman
      @yanivhoffman a year ago

      Thx appreciate it

  • @josefmazzeo6628
    @josefmazzeo6628 a year ago +4

    There will come a time when not even super long passwords are enough. With advances in quantum computing almost any sequence can be decrypted in seconds to minutes, eventually.

    • @esquilax5563
      @esquilax5563 a year ago +1

      While some forms of encryption are vulnerable to quantum computing, hash functions are not, as far as anybody's been able to tell. So your password is still secure

    • @cristibaluta
      @cristibaluta a year ago

      Passwords are stolen anyway, I don't think anyone is cracking them; websites have a limit on tries.

  • @avnercoopman
    @avnercoopman a year ago +1

    Yaniv, great video. Try to say "phishing" with a soft P like "fishing" instead of a hard P like "pishing" (to pee).

    • @yanivhoffman
      @yanivhoffman a year ago +1

      Absolutely, my mistake and I'll fix it. Thanks again for the feedback ❤️

  • @badbabaji
    @badbabaji a year ago +1

    luv from odisha ❤

  • @KamilsView
    @KamilsView a year ago +1

    Great overview. Please, check the pronunciation of retrieve and launch.

  • @Anvilshock
    @Anvilshock a year ago +1

    Recommend you frame yourself more prominently in your videos. If you frame your figure like that, you diminish your presence. Look up videos on "cinematic composition" here on YT to learn what would be beneficial.

  • @youms108
    @youms108 a year ago +1

    Subscribed immediately, wow great content sir.

  • @optiplex-gaming
    @optiplex-gaming a year ago +1

    Sir, make a full dedicated video on the Evilginx tool, how to configure and use it. Humble request.

  • @ayanyemijoel6957
    @ayanyemijoel6957 a year ago +2

    What do you say about the risk of using a password manager? If compromised, it's like the whole of your power house is exposed.
    I have always been sceptical about it.

    • @yanivhoffman
      @yanivhoffman a year ago

      Very good point. In a nutshell, the right approach involves a combination of strong security practices, risk management and ongoing vigilance. If you follow it you can minimize the risk of a password manager compromise and protect your online accounts and personal info. I can elaborate if you wish.

    • @ayanyemijoel6957
      @ayanyemijoel6957 a year ago +1

      @yanivhoffman your quick reply is quite intriguing to me. I so much appreciate that.
      Please elaborate, I am much interested.

  • @coles999
    @coles999 a year ago +1

    You smashed that 100 likes, have you made a video explaining it yet?

    • @yanivhoffman
      @yanivhoffman a year ago

      Still not, but in planning. Will update accordingly.

  • @dc99yt
    @dc99yt a year ago

    SMS is not really 2FA, because for 2 factors to work, one has to be something you know and the next is something you own. SMS is not secure and hackers could use a MITM attack to intercept the one time passcode. Or, they could use a phishing attack and exploit vulnerabilities in the SMS account recovery process to get hold of the verification code. While you are still in possession of your phone (something you own).

  • @crissd8283
    @crissd8283 a year ago

    Why does the number for 2FA have to be so long? I would think a 4 digit number is plenty as it is a random number and the site can easily limit guesses to 3 and generate a new random number if you fail 3 times. Instead I get a 10 digit number texted to me. I don't understand why this is necessary?

  • @mbadakhoury2
    @mbadakhoury2 a year ago +1

    Where are you located, Hoffman?
    I'm a DevOps engineer, and I like what you do,
    I think we're neighbors.
    I would like to see more content creators from our country making videos in English,
    sharing our vast nation's high tech knowledge and expertise.
    Way to go.

  • @chang112x
    @chang112x a year ago +1

    Do you live in Bangkok? The view is very similar to Bangkok!
    Very good video btw

    • @yanivhoffman
      @yanivhoffman a year ago

      Thx a lot for the kind words. I live in Singapore 🇸🇬

    • @chang112x
      @chang112x a year ago

      @yanivhoffman cool! Looks very similar to BKK

  • @technocoh
    @technocoh a year ago +1

    Interesting insight, thank you! :)

  • @gregorymirsky8707
    @gregorymirsky8707 a year ago +1

    If you are abroad and the second piece of authentication is sent over the phone, you may face a complete failure for plenty of reasons, one of which is your phone's inability to work with the local system.

  • @benduffy4223
    @benduffy4223 a year ago

    Your accent makes it sound like you are saying "to f#ck the authentication"
    And i love it. :)

  • @0Ciju0
    @0Ciju0 a year ago +2

    Thank you for the video, I am glad I found you!

    • @yanivhoffman
      @yanivhoffman a year ago

      Thanks so much for the kind words. Appreciate it

  • @asicdathens
    @asicdathens a year ago +2

    You didn't mention the SS7 man in the middle attacks that are common as well. Also OpenBTS (and similar professional equipment, depending on your connections and money) can be used to intercept SMSes.

  • @y.tzvilangermann7894
    @y.tzvilangermann7894 a year ago +1

    Champ!

  • @DrVinylBcn
    @DrVinylBcn a year ago

    Mate, you are in Thailand? because the background looks familiar for me.

  • @AskTheSloth
    @AskTheSloth a year ago +1

    Wow!
    A well-made and interesting video, keep it up :))

  • @SKIDDOW
    @SKIDDOW a year ago +1

    Recently someone hijacked my cookies. Nice explanation.

  • @creedine
    @creedine a year ago

    Hi, I wanted to ask: does clearing cookies from Google or logging out from any website that has your information protect you when you download an exe file that contains a virus?

  • @malekyo
    @malekyo a year ago

    Mr Hoffman, how about a way to mitigate the SMS attack is to use a second number/sim unknown to anyone else but you. And use that number to receive sms tokens. Not bulletproof but minimizes the impact of sim swap for your main sim/number which can be easily found.

  • @MichaelSoulier32Pens
    @MichaelSoulier32Pens a year ago +1

    If my logins are already encrypted I fail to see how a VPN makes me any safer. Am I missing something?

  • @RokeJulianLockhart.s13ouq
    @RokeJulianLockhart.s13ouq a year ago +1

    Obviously TOTP codes don't have to be kept on a user's smartphone. That's a stupid thing to mention. Have you never used Bitwarden or the WSA?

  • @deangreenhough3479
    @deangreenhough3479 a year ago +1

    Subscribed, great work thank you

  • @Jacmac1
    @Jacmac1 a year ago

    All of this stuff requires being able to attack a user's browser, which means the attacker has at least network access, or some form of man in the middle. For the most part, the idea behind 2FA is not to protect from these two situations. 2FA is merely a method of protecting against what you "have" vs what you "know". As a hacker, you may know a password, but you may not have a hardware token. Hacking a way through that with man in the middle or direct network access is not the point of 2FA, other tools are supposed to protect a user from that.

  • @wanderatimothy5595
    @wanderatimothy5595 a year ago +5

    Any suggestions on how software developers could write more secure code and minimize the chances of a breach?

    • @lamjeri
      @lamjeri a year ago

      - Get your devs some pentest, or security training. If they can see how attacks are done in real life and what caused the malfunction in the code, they are more likely to write it better
      - Reduce your software stack. If your tech stack has more letters in it than the whole lgbt acronym, it's hosted in cloud with CDN in front of it and the app just displays a random picture of a puppy every time you visit it, it's over engineered.
      - Use tested and verified open source projects when you can and contribute if it's missing a functionality, instead of writing the thing from scratch. Easier to check the code for problems and you give back to the community a little. Let's be honest, we all owe it a lot
      - Don't use Javascript unless... Just don't

    • @mucholangs
      @mucholangs a year ago

      @lamjeri Can you talk more about why JavaScript is bad?
      I doubt there is a website today that does not use JS.

    • @lamjeri
      @lamjeri a year ago

      @mucholangs Well, that's kinda the problem. JS is used everywhere, even in places where it doesn't have to be. It's often installed just 'cause, even though the project doesn't need / use it (static websites). Just off the top of my head, I remember 3 major incidents involving JavaScript.
      - There was the infamous Log4j. Library used by what seemed to be every project on earth with vulnerability, which allowed for remote shell. And it was so stupidly simple to take advantage of it, that you just had to type command into Minecraft chat to misuse it.
      - Recently, there was a bug in library which handled (ECDSA ?) certificate checking. Problem was that the code didn't check if the client data wasn't 0, which breaks the math that does the actual check. The guy who wrote the library didn't even bother to read the wiki page, where it says in the first few paragraphs, that this is a mandatory check for things to work. Result was that you could just send a few zeroes instead of your certificate and it would be considered valid.
      - Then there was the leftpad incident. Which is more of a funny story than a security vulnerability, but it just shows that Javascript might have a very deep problem with its package management system.
      I guess it's kinda inevitable with popular languages (I wonder if Python will be a subject to this as well) and a lot of unskilled people starting their career with it cause of hype. Especially when it's a publicly facing code that can be accessed and broken by more skilled individuals around the world. But considering these (and much more over the years), I consider Javascript a really big *hit hole that everyone keeps using and every now and then, things just overflow.

    • @mucholangs
      @mucholangs a year ago

      @lamjeri Vulnerabilities exist in every piece of software. That is one of the reasons that patches and new versions are constantly being released.
      I remember when SQL injection attacks were so common and trivial in MySQL. I also recall when popup bombs were common in Javascript. But all those have been fixed. The Log4 vulnerability you mentioned has been fixed too. Telling people to not use Javascript makes no sense to me.

    • @lamjeri
      @lamjeri a year ago

      @mucholangs Yes, that is true. Some software is worse than others though.
      Injection attacks are not a problem of the language itself, but of wrong handling of user input.
      I don't argue that it's needed currently, as there is virtually no alternative in certain use cases. But I do think that the language has some deeply embedded problems and the combination of inexperienced people and publicly facing code is disastrous.

  • @psurendranathmenon6394
    @psurendranathmenon6394 a year ago +2

    Good evening. Do you think password managers or passcode storage are a safer place to store all your passcodes for various accounts? Will it be all the eggs in one basket? It's always a frequent hassle: "forgot your password?" Could you please comment. Thanks.

  • @starshine_Ultra
    @starshine_Ultra a year ago +1

    I was wondering why my old telecom sent me a sim from their main company (smart) and i was using another sim (sub service) from a sub company from them. I never asked for a sim update also. Then next thing i know my devices were all being hacked and controlled.

  • @reed3863
    @reed3863 a year ago

    Very informative. Thank you, I learned something interesting today.

  • @lottan2197
    @lottan2197 a year ago +2

    Thanks for your time, great learning.

  • @PerChristianFrankplads
    @PerChristianFrankplads a year ago +1

    My brain kept hearing "TO F*CK TOROUGHTENTICATION" until it learned that it was just a strong Israeli accent.

    • @yanivhoffman
      @yanivhoffman a year ago

      Yes yes I’m sorry 😂 working on it

    • @PerChristianFrankplads
      @PerChristianFrankplads a year ago +1

      @yanivhoffman: Please don't! Much more fun with different accents all around the world. :)

  • @remifasolla2863
    @remifasolla2863 a year ago

    I love your accent! Especially the way you say "two fuck-tor" 😉

  • @salaheddinesalmi683
    @salaheddinesalmi683 a year ago +1

    All support to you , please keep up

  • @mavadelo
    @mavadelo a year ago +1

    Wish I had seen this when it got posted. I fell for it just last week (No harm done, I was quick enough noticing something went wrong and fixed it right away)

    • @jimmybrad156
      @jimmybrad156 a year ago

      What happened?

    • @mavadelo
      @mavadelo a year ago

      @jimmybrad156 I had a moment of "being an idiot"!

    • @jimmybrad156
      @jimmybrad156 ปีที่แล้ว

      @@mavadelo Clicked on a funny link? Did something a stranger on the phone said to do? Got me all curious now!

    • @mavadelo
      @mavadelo ปีที่แล้ว

      @@jimmybrad156 I trusted a link from a long-time Steam friend. Sadly it seems he fell for it too. A "vote" link for some competition. Knowing he was into modding I trusted the link, "logged in with Steam" and basically noticed straight away something was funny (the login procedure was ever so slightly bugged), so gladly I was quick enough to avoid major damage. A few friends were contacted with the same message I got, so I was able to warn them not to click. Never trust a link on Steam, not even from long-time friends.

  • @LeonSteelpaw
    @LeonSteelpaw ปีที่แล้ว

    Why do I think the people who created the security depended solely on obscurity to keep it from being compromised?

  • @nomore-constipation
    @nomore-constipation ปีที่แล้ว +1

    Not sure I like the suggestions for a password keeper. Why you like those specifically makes me feel you like it because they have ads that support this channel.

    • @yanivhoffman
      @yanivhoffman  ปีที่แล้ว +1

      Thx for the feedback. Just to be clear, I’m not sponsored by any password manager or anyone, actually! It's only my preference

    • @nomore-constipation
      @nomore-constipation ปีที่แล้ว

      @@yanivhoffman Appreciate your honesty.

  • @YTesting
    @YTesting ปีที่แล้ว +1

    Great video, thanks

  • @avramvr4451
    @avramvr4451 4 หลายเดือนก่อน

    Great video, bro, I enjoyed every moment

    • @yanivhoffman
      @yanivhoffman  4 หลายเดือนก่อน

      Thank you very much!!🙏

  • @dem0nsl4yer
    @dem0nsl4yer 10 หลายเดือนก่อน +1

    Yaniv, I love your videos buddy, but you need to stop saying "P"ishing, as it cracks me up each time; in English, or in slang UK dialects of the language, it means the same as the act of peeing, urinating or relieving oneself :-) We pronounce it "F"ishing (like you would do with a rod or net), even though the spelling is Phishing. That aside, thanks for the great explanatory videos, even though I am an IT veteran of 36 years myself. I started as a techy nerd in the early 80s with the first home computer, then it became a career and business through the evolution of distributed systems, networks and the internet. I'm still a nerd at heart, although I'm a more senior one these days, so keep them coming!👍

    • @yanivhoffman
      @yanivhoffman  10 หลายเดือนก่อน

      Thx a lot for the kind words. I’m working on the slang as well :)

  • @wgrosa
    @wgrosa 8 หลายเดือนก่อน +1

    Thanks for the great content!

    • @yanivhoffman
      @yanivhoffman  8 หลายเดือนก่อน

      Happy you enjoyed

  • @John-oz1do
    @John-oz1do ปีที่แล้ว +1

    Excellent summary.

  • @austincromwell
    @austincromwell ปีที่แล้ว +1

    I think password managers are a terrible idea as you're effectively trusting an unknown entity on the Internet with all of your passwords. Wasn't one of them compromised recently?

    • @yanivhoffman
      @yanivhoffman  ปีที่แล้ว

      Password managers are only part of a holistic solution and can’t stand by themselves.

  • @Yeni...
    @Yeni... ปีที่แล้ว

    Hello, could you perhaps also make videos in Dutch? It's a bit quicker to learn that way ❤️💪🏽 respect, keep going!!!

  • @lherfel
    @lherfel ปีที่แล้ว +1

    thanks, good overview of the topic

  • @waleedelhadidy4879
    @waleedelhadidy4879 ปีที่แล้ว

    Really, thanks a lot for the great information and the easy demonstration... after that video I'm already subscribed to your channel.

    • @yanivhoffman
      @yanivhoffman  ปีที่แล้ว

      Thanks and welcome

    • @waleedelhadidy4879
      @waleedelhadidy4879 ปีที่แล้ว

      @@yanivhoffman Someone hacked my FB account using that technique... can he log in again with the cookie he has, despite my having already changed the password immediately after that?

  • @joshuadean7846
    @joshuadean7846 ปีที่แล้ว +1

    Very nice information, but can you help me recover my Facebook account???

  • @bilalahmad9638
    @bilalahmad9638 ปีที่แล้ว +1

    You earned a subscriber

  • @yourname91110
    @yourname91110 ปีที่แล้ว +1

    Instantly subbed

  • @user-qr4jf4tv2x
    @user-qr4jf4tv2x ปีที่แล้ว

    I wish there was a way to country-block logins or make them very region-locked, and rather than just one way of logging in you would have to verify with both an authenticator app and SMS.

  • @NickAskew
    @NickAskew ปีที่แล้ว +1

    Thanks for the video. I'm a software developer and not a security expert, a distinction a lot of people cannot understand. About a week ago my neighbours came around to my house to explain that their bank had blocked their account. It seems that one of them had accidentally installed an app that was malware on the phone (some kind of PDF AI scanner), but that phone also had an app from the bank. They wanted my help to try and retrieve as much of their own information from the phone as possible before they planned to do a factory reset. What happened next surprised me: it was an Android phone, and we opened the Play Store and went to Play Protect. It immediately came back with an alert that some harmful software had already been detected and removed from the phone.
    My question is then, does Android actively scan for such harmful software? Is it possible that other apps running on the phone have access to an API so that they can be alerted if malware is detected and so restrict their own functions? I mean, how did their bank know that one of them had malware and block their account just in case?

    • @kobusdowney5291
      @kobusdowney5291 ปีที่แล้ว +6

      It may be that the malware attempted an illegal action on the banking software, which the bank detected and locked their account. This is rather a testament to how a bank should react to anomalies and attempted attacks.

  • @exol511
    @exol511 ปีที่แล้ว +2

    The SIM swap, at least where I am, is not a problem, as you would need to somehow do a real-life impersonation with a stolen ID card at the service provider's store.
    If you somehow managed that, the owner of the phone is likely to notice that his phone stopped working fairly quickly, so this would only really work in a highly organized and targeted attempt.

    • @AxGryndr
      @AxGryndr ปีที่แล้ว

      SIM swap attacks are a huge issue for One Time Passcodes that financial institutions send before allowing you to do certain actions with your accounts. For example, a sim swapped device looks like the trusted user, allows them to add a new Zelle payee and the money is transferred out of the account in mere moments. In this case, the damage was stealing your money not your identity.

    • @cristibaluta
      @cristibaluta ปีที่แล้ว

      I also don't get how the sim swap works, he didn't explain it. Also how do they know your number? It must be something very targeted.

    • @AxGryndr
      @AxGryndr ปีที่แล้ว

      @@cristibaluta In most cases, SIM swap is the result of social engineering / ID theft. The fraudster convinces the mobile carrier to port the SIM from the current device to a device they control. When this happens, the real user's phone stops working and the phone the fraudster controls is enabled. From this point, 2FA is sent to this new device. This allows the fraudster to cause a lot of damage. This is why the suggestion is to not have all 2FA go to the same device / app.

    • @exol511
      @exol511 ปีที่แล้ว

      @@AxGryndr Yes, but how exactly will the thief get my SIM without impersonating me at the local service provider shop?
      Where I am, the shop is not going to sell you a SIM copy without disabling the old one, and the shop will want the actual contract signer for the phone number to be present (with ID) before making you a new SIM, so you would need to steal the person's identity first before actually getting the SIM copied.
      So how exactly are they going to get my SIM without literally stealing my phone or doing a Mission Impossible face mask trick (as just making a convincing copy of the identity card does not work, since they type the number into the system and your mandated picture is going to show up in the program)?

    • @AxGryndr
      @AxGryndr ปีที่แล้ว

      @@exol511 They don't need the actual SIM because they convince the carrier to do the swap over the phone.

  • @sccrothers77
    @sccrothers77 ปีที่แล้ว

    You have conflated 2FA with '2 Step Authentication'. Two very different things. 2FA being much more secure. Unfortunately, you are not alone as an IT professional in failing to make the distinction.

  • @RenegadeAcre
    @RenegadeAcre ปีที่แล้ว +1

    Thank you for this excellent video.

    • @yanivhoffman
      @yanivhoffman  ปีที่แล้ว

      Thank you for the kind words

  • @makatron
    @makatron ปีที่แล้ว

    Great content, subbed.

  • @CalvinKleinPay
    @CalvinKleinPay 11 หลายเดือนก่อน +1

    Greetings, can you make a PayPal bypass video?

  • @FlyingNacho
    @FlyingNacho ปีที่แล้ว +1

    What on earth? I thought 2FA was safe... Subscribed.

    • @yanivhoffman
      @yanivhoffman  ปีที่แล้ว +2

      😂

    • @esquilax5563
      @esquilax5563 ปีที่แล้ว +1

      2FA is still better than 1FA. But in the end, no system is 100% unhackable

    • @yanivhoffman
      @yanivhoffman  ปีที่แล้ว

      @@esquilax5563 true! No 100% protection

  • @moshelevceder
    @moshelevceder ปีที่แล้ว +1

    You definitely passed the 100 likes goal lol